Add support for ECS exec

packages/amazon-ssm-agent/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "amazon-ssm-agent"
+version = "0.1.0"
+edition = "2021"
+publish = false
+build = "build.rs"
+
+[lib]
+path = "pkg.rs"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/aws/amazon-ssm-agent/archive/3.2.815.0/amazon-ssm-agent-3.2.815.0.tar.gz"
+sha512 = "724b659f7141dc9c797288f109b35c2a516f08f843d472da0d44f1a04c5fbce30fd8df0cde95be355ca2a710b146c89e1ee3bb5905c297a90b3aaccf78d9da8b"
+
+[build-dependencies]
+glibc = { path = "../glibc" }

packages/amazon-ssm-agent/amazon-ssm-agent.spec

@@ -0,0 +1,50 @@
+# Don't generate debug packages because we are compiling without CGO,
+# and the `gc` compiler doesn't append the  the ".note.gnu.build-id" section
+# https://fedoraproject.org/wiki/PackagingDrafts/Go#Build_ID
+%global debug_package %{nil}
+
+%global goproject github.com/aws
+%global gorepo amazon-ssm-agent
+%global goimport %{goproject}/%{gorepo}
+
+Name: %{_cross_os}amazon-ssm-agent
+Version: 3.2.815.0
+Release: 1%{?dist}
+Summary: An agent to enable remote management of EC2 instances
+License: Apache-2.0
+URL: https://github.com/aws/amazon-ssm-agent
+Source0: %{gorepo}-%{version}.tar.gz
+BuildRequires: %{_cross_os}glibc-devel
+
+%description
+%{summary}.
+
+%prep
+%setup -n %{gorepo}-%{version}
+
+%build
+%set_cross_go_flags
+
+# Set CGO_ENABLED=0 to statically link binaries that will be bind-mounted by the ECS agent
+CGO_ENABLED=0 go build ${GOFLAGS} -installsuffix cgo -a -ldflags "-s" -o amazon-ssm-agent \
+  ./core/agent.go ./core/agent_unix.go ./core/agent_parser.go
+CGO_ENABLED=0 go build ${GOFLAGS} -installsuffix cgo -a -ldflags "-s" -o ssm-agent-worker \
+  ./agent/agent.go ./agent/agent_unix.go ./agent/agent_parser.go
+CGO_ENABLED=0 go build ${GOFLAGS} -installsuffix cgo -a -ldflags "-s" -o ssm-session-worker \
+  ./agent/framework/processor/executer/outofproc/sessionworker/main.go
+
+%install
+# Install the SSM agent under 'libexecdir', since it is meant to be used by other programs
+install -d %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}
+for b in amazon-ssm-agent ssm-agent-worker ssm-session-worker; do
+  install -D -p -m 0755 ${b} %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}
+done
+
+%cross_scan_attribution go-vendor vendor
+
+%files
+%license LICENSE
+%{_cross_attribution_file}
+%{_cross_attribution_vendor_dir}
+%dir %{_cross_libexecdir}/amazon-ssm-agent
+%{_cross_libexecdir}/amazon-ssm-agent

packages/amazon-ssm-agent/build.rs

@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+    let ret = Command::new("buildsys").arg("build-package").status()?;
+    if !ret.success() {
+        exit(1);
+    }
+    Ok(())
+}

packages/amazon-ssm-agent/pkg.rs

@@ -0,0 +1 @@
+// not used

packages/ecs-agent/0006-execcmd-change-execcmd-directories-for-Bottlerocket.patch

@@ -0,0 +1,67 @@
+From c9f3e2e695fa0c426c7c9196354c5ac7f138845a Mon Sep 17 00:00:00 2001
+From: Arnaldo Garcia Rincon <[email protected]>
+Date: Wed, 3 May 2023 18:23:40 +0000
+Subject: [PATCH] execcmd: change execcmd directories for Bottlerocket
+
+The ECS agent performs checks on directories that, in normal
+circumstances, are mounted on the ECS agent container.  Since the ECS
+agent runs as a service in Bottlerocket, the paths to the directories
+are different.
+
+Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
+---
+ agent/app/agent_capability_unix.go              | 2 +-
+ agent/engine/execcmd/manager_init_task_linux.go | 4 ++--
+ agent/engine/execcmd/manager_linux.go           | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/agent/app/agent_capability_unix.go b/agent/app/agent_capability_unix.go
+index 51b4393..76492c7 100644
+--- a/agent/app/agent_capability_unix.go
++++ b/agent/app/agent_capability_unix.go
+@@ -37,7 +37,7 @@ const (
+ 	SSE41                 = "sse4_1"
+ 	SSE42                 = "sse4_2"
+ 	CpuInfoPath           = "/proc/cpuinfo"
+-	capabilityDepsRootDir = "/managed-agents"
++	capabilityDepsRootDir = "/usr/libexec/amazon-ecs-agent/managed-agents"
+ )
+
+ var (
+diff --git a/agent/engine/execcmd/manager_init_task_linux.go b/agent/engine/execcmd/manager_init_task_linux.go
+index 05af158..6117e55 100644
+--- a/agent/engine/execcmd/manager_init_task_linux.go
++++ b/agent/engine/execcmd/manager_init_task_linux.go
+@@ -24,7 +24,7 @@ import (
+ )
+
+ const (
+-	ecsAgentExecDepsDir = "/managed-agents/execute-command"
++	ecsAgentExecDepsDir = "/usr/libexec/amazon-ecs-agent/managed-agents/execute-command"
+
+ 	// ecsAgentDepsBinDir is the directory where ECS Agent will read versions of SSM agent
+ 	ecsAgentDepsBinDir   = ecsAgentExecDepsDir + "/bin"
+@@ -40,7 +40,7 @@ const (
+ 	ContainerLogDir    = "/var/log/amazon/ssm"
+ 	ECSAgentExecLogDir = "/log/exec"
+
+-	HostCertFile            = "/var/lib/ecs/deps/execute-command/certs/tls-ca-bundle.pem"
++	HostCertFile            = "/usr/libexec/amazon-ecs-agent/managed-agents/execute-command/certs/tls-ca-bundle.pem"
+ 	ContainerCertFileSuffix = "certs/amazon-ssm-agent.crt"
+
+ 	ContainerConfigFileSuffix = "configuration/" + containerConfigFileName
+diff --git a/agent/engine/execcmd/manager_linux.go b/agent/engine/execcmd/manager_linux.go
+index 706d5da..6322816 100644
+--- a/agent/engine/execcmd/manager_linux.go
++++ b/agent/engine/execcmd/manager_linux.go
+@@ -16,6 +16,6 @@
+ package execcmd
+
+ const (
+-	hostExecDepsDir = "/var/lib/ecs/deps/execute-command"
++	hostExecDepsDir = "/usr/libexec/amazon-ecs-agent/managed-agents/execute-command"
+ 	HostBinDir      = hostExecDepsDir + "/bin"
+ )
+-- 
+2.39.2
+

packages/ecs-agent/Cargo.toml

@@ -41,3 +41,4 @@ glibc = { path = "../glibc" }
 # docker-engine = { path = "../docker-engine" }
 # `iptables` is only needed at runtime, and is pulled in by `release`.
 # iptables = { path = "../iptables" }
+amazon-ssm-agent = { path = "../amazon-ssm-agent" }

packages/ecs-agent/ecs-agent.spec

@@ -68,13 +68,17 @@ Patch0004: 0004-bottlerocket-remove-unsupported-CNI-plugins.patch
 # Bottlerocket-specific - fix procfs path for non-containerized ECS agent
 Patch0005: 0005-bottlerocket-fix-procfs-path-on-host.patch
 
+# Bottlerocket-specific - fix ECS exec directories
+Patch0006: 0006-execcmd-change-execcmd-directories-for-Bottlerocket.patch
+
 # Bottlerocket-specific - filesystem location for ECS CNI plugins
 Patch1001: 1001-bottlerocket-default-filesystem-locations.patch
 
 BuildRequires: %{_cross_os}glibc-devel
 
 Requires: %{_cross_os}docker-engine
 Requires: %{_cross_os}iptables
+Requires: %{_cross_os}amazon-ssm-agent
 
 %description
 %{summary}.
@@ -248,6 +252,27 @@ install -D -p -m 0644 %{S:102} %{buildroot}%{_cross_tmpfilesdir}/ecs.conf
 install -D -p -m 0644 %{S:103} %{buildroot}%{_cross_sysctldir}/90-ecs.conf
 install -D -p -m 0644 %{S:104} %{buildroot}%{_cross_templatedir}/ecs.config
 
+# Directory for agents used by the ECS agent, e.g. SSM, Service Connect
+%global managed_agents %{_cross_libexecdir}/amazon-ecs-agent/managed-agents
+install -d %{buildroot}%{managed_agents}
+
+# Directory for ECS exec artifacts
+%global ecs_exec_dir %{managed_agents}/execute-command
+install -d %{buildroot}%{ecs_exec_dir}
+
+# The ECS agent looks for real versioned directories under bin, symlinks will be
+# ignored. Thus, link the bin directory in the ssm-agent directory which contains
+# the versioned binaries.
+ln -rs %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin %{buildroot}/%{ecs_exec_dir}/bin
+
+# The ECS agent generates and stores configurations for ECS exec sessions inside
+# "config", thus reference it with a symlink to a directory under /var
+ln -rs %{buildroot}%{_cross_localstatedir}/ecs/managed-agents/execute-command/config %{buildroot}%{ecs_exec_dir}/config
+
+# Use the host's certificates bundle for ECS exec sessions
+install -d %{buildroot}%{ecs_exec_dir}/certs
+ln -rs %{buildroot}%{_cross_sysconfdir}/pki/tls/certs/ca-bundle.crt %{buildroot}%{ecs_exec_dir}/certs/tls-ca-bundle.pem
+
 # Prepare license and vendor information so it can be co-installable
 mv %{ecscni_gorepo}-%{ecscni_gitrev}/LICENSE %{ecscni_gorepo}-%{ecscni_gitrev}/LICENSE.%{ecscni_gorepo}
 mv %{vpccni_gorepo}-%{vpccni_gitrev}/LICENSE %{vpccni_gorepo}-%{vpccni_gitrev}/LICENSE.%{vpccni_gorepo}
@@ -289,6 +314,7 @@ mv %{vpccni_gorepo}-%{vpccni_gitrev}/vendor go-vendor/%{vpccni_gorepo}
 %{_cross_libexecdir}/amazon-ecs-agent/ecs-eni
 %{_cross_libexecdir}/amazon-ecs-agent/ecs-ipam
 %{_cross_libexecdir}/amazon-ecs-agent/vpc-branch-eni
+%{_cross_libexecdir}/amazon-ecs-agent/managed-agents
 %{_cross_unitdir}/ecs.service
 %{_cross_unitdir}/etc-ecs.mount
 %{_cross_tmpfilesdir}/ecs.conf

packages/ecs-agent/ecs-tmpfiles.conf

@@ -1,2 +1,5 @@
 d /var/lib/ecs/data 0700 root root
 d /var/log/ecs 0755 root root
+d /var/log/ecs/exec 0755 root root -
+R /var/ecs/managed-agents - - - -
+d /var/ecs/managed-agents/execute-command/config 0750 root root -